Date: Wed, 3 Nov 2004 11:38:06 GMT
From: Pawel Wieleba <P.Wieleba@iem.pw.edu.pl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/73448: [PATCH] nss_ldap - getpwnam does not return password hash when run as root
Message-ID: <200411031138.iA3Bc66t035718@www.freebsd.org>
Resent-Message-ID: <200411031140.iA3BeSit086811@freefall.freebsd.org>
>Number:         73448
>Category:       ports
>Synopsis:       [PATCH] nss_ldap - getpwnam does not return password hash when run as root
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 03 11:40:28 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Pawel Wieleba
>Release:        FreeBSD 6.0-CURRENT
>Organization:
>Environment:
FreeBSD volt.iem.pw.edu.pl 6.0-CURRENT FreeBSD 6.0-CURRENT #0:
>Description:
The problem and the solution are described in the article:
www.iem.pw.edu.pl/~wielebap/ldap/nss_ldap/nss_ldap_doc.pdf

Used port net/nss_ldap version: 1.204_5

% cat /etc/nsswitch.conf
passwd: ldap files
group: ldap files

Programs which use getpwnam() to authenticate LDAP users (e.g. cucipop) do not work on FreeBSD when the user has a shadowAccount objectClass. In heterogeneous environments (mixed Linux and FreeBSD) the objectClass shadowAccount is essential.

On FreeBSD and other BSD OSes the getpwnam() system function returns the full password hash in the passwd structure when run as root.
>How-To-Repeat:
Just run getpwnam().

% cat test_nss.c
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
	struct passwd *pass = NULL;	/* initialised: it was read uninitialised when no user was given */

	if (argc > 1) {
		pass = getpwnam(argv[1]);	/* resolved through the passwd sources in nsswitch.conf */
	} else {
		printf("test_nss <ldap_username>\n");
		return 1;
	}
	if (pass != NULL) {
		printf("Username info:\n");
		printf("user:%s\n", pass->pw_name);
		/* nss_ldap returns "x" here for a shadowAccount entry; the files
		 * backend returns the real hash when run as root */
		printf("pass:%s\n", pass->pw_passwd);
		printf("dir:%s\n", pass->pw_dir);
		printf("shell:%s\n", pass->pw_shell);
	} else {
		printf("User not found.\n");
	}
	return 0;
}
>Fix:
You can download the patch from:
www.iem.pw.edu.pl/~wielebap/ldap/nss_ldap/patch-ldap-pwd.c

The patch:
% cat /usr/ports/net/nss_ldap/files/patch-ldap-pwd.c
--- ldap-pwd.c.orig Sat Oct 16 22:22:29 2004
+++ ldap-pwd.c Sun Oct 17 12:45:08 2004
@@ -92,19 +92,19 @@ size_t tmplen; char *tmp; - if (_nss_ldap_oc_check (ld, e, "shadowAccount") == NSS_SUCCESS) - { - /* don't include password for shadowAccount */ - if (buflen < 3) - return NSS_TRYAGAIN; - - pw->pw_passwd = buffer; - strcpy (buffer, "x"); - buffer += 2; - buflen -= 2; - } - else - { +/* if (_nss_ldap_oc_check (ld, e, "shadowAccount") == NSS_SUCCESS) + * { + */ /* don't include password for shadowAccount */ +/* if (buflen < 3) + * return NSS_TRYAGAIN; + * + * pw->pw_passwd = buffer; + * strcpy (buffer, "x"); + * buffer += 2; + * buflen -= 2; + * } + * else + */ { stat = _nss_ldap_assign_userpassword (ld, e, AT (userPassword), &pw->pw_passwd, &buffer, &buflen);

If you apply the above patch getpwnam() will return the password hash when the ldap database is used. Then it has the same functionality as when the files or nis databases are used.
>Release-Note:
>Audit-Trail:
>Unformatted:
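Review bot: nothing replaces the removed `if (_nss_ldap_oc_check (ld, e, "shadowAccount") == NSS_SUCCESS)` test, so `_nss_ldap_assign_userpassword` now runs for every entry and the userPassword hash lands in `pw->pw_passwd` for whichever process calls getpwnam(), not only root. The PR asks for parity with the files backend, which on FreeBSD hands the hash only to a caller that can read spwd.db; that parity needs a privilege check here, for example `if (geteuid () == 0)` around the assign call with the old `strcpy (buffer, "x")` placeholder kept for everyone else, or the port should say plainly that the LDAP server's ACL on userPassword is from now on the only thing keeping hashes from unprivileged local users. Commenting the old branch out with `/* ... */` instead of deleting it also leaves `*/ {` as the surviving opening brace and a second comment opened on the same line (`*/ /* don't include password for shadowAccount */`), which is hard to read and easy to break on the next upstream merge; remove the block outright or make it a build-time option so the shadowAccount handling stays available for Linux-style deployments.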
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200411031138.iA3Bc66t035718>
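Added example, not code from the PR, the nss_ldap port or the patch above. The report's point is that the files backend gives getpwnam() callers the hash only when they run as root, while the patch makes nss_ldap return it unconditionally. The block below shows the privilege-gated variant, carving pw_passwd out of the caller's result buffer the way an NSS module does and returning a try-again status when the buffer is too small, plus the check a program such as cucipop needs before passing pw_passwd to crypt(), because "x" and "*" are placeholders rather than hashes. The function names (assign_passwd, passwd_for, passwd_is_usable, the EX_* statuses), the constructed {crypt} sample value and the prefix stripping are this example's own assumptions, not nss_ldap's API.

```c
/* Added example, not code from the PR or from nss_ldap.  Root-gated
 * pw_passwd assignment in the style of an NSS module, plus the check an
 * authenticator needs before trusting pw_passwd.  Every name here is the
 * example's own. */
#include <sys/types.h>
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum { EX_SUCCESS = 0, EX_TRYAGAIN = 1 };	/* stand-ins for NSS_SUCCESS / NSS_TRYAGAIN */

/* Strip a leading "{crypt}" scheme tag (any case) from an RFC 2307
 * userPassword value; values with other schemes are returned untouched. */
static const char *strip_crypt_prefix(const char *userpassword)
{
	static const char tag[] = "{crypt}";
	size_t i;

	for (i = 0; tag[i] != '\0'; i++) {
		/* a shorter value hits '\0' here, which never matches the tag */
		if (tolower((unsigned char)userpassword[i]) != tag[i])
			return userpassword;
	}
	return userpassword + i;
}

/* Copy the value the caller may see into the NSS result buffer.  The hash
 * goes only to euid 0, matching FreeBSD's files backend (spwd.db vs pwd.db);
 * everyone else gets the "*" placeholder.  euid is a parameter rather than
 * a geteuid() call so both branches can be exercised without privileges. */
int assign_passwd(const char *userpassword, uid_t euid,
		  char **buffer, size_t *buflen, char **pw_passwd)
{
	const char *src = "*";
	size_t len;

	if (euid == 0 && userpassword != NULL && userpassword[0] != '\0')
		src = strip_crypt_prefix(userpassword);
	len = strlen(src) + 1;
	if (*buflen < len)
		return EX_TRYAGAIN;	/* caller retries with a bigger buffer (ERANGE) */
	memcpy(*buffer, src, len);
	*pw_passwd = *buffer;
	*buffer += len;
	*buflen -= len;
	return EX_SUCCESS;
}

/* Run assign_passwd() on a fresh buffer of the given size and return the
 * resulting pw_passwd (static storage), or NULL if the buffer was too small. */
const char *passwd_for(const char *userpassword, uid_t euid, size_t buflen)
{
	static char buf[256];
	char *bp = buf;
	char *pw = NULL;
	size_t bl = buflen < sizeof buf ? buflen : sizeof buf;

	if (assign_passwd(userpassword, euid, &bp, &bl, &pw) != EX_SUCCESS)
		return NULL;
	return pw;
}

/* What cucipop-style code must check before handing pw_passwd to crypt():
 * nss_ldap's shadowAccount placeholder "x" and the BSD "*" carry no hash. */
int passwd_is_usable(const char *pw_passwd)
{
	if (pw_passwd == NULL || pw_passwd[0] == '\0')
		return 0;
	if (strcmp(pw_passwd, "x") == 0 || strcmp(pw_passwd, "*") == 0)
		return 0;
	return 1;
}

int main(int argc, char *argv[])
{
	/* constructed userPassword value, not a real account's hash */
	const char *sample = "{crypt}$1$saltsalt$0123456789abcdefghijkl";
	const char *pw = passwd_for(sample, geteuid(), 256);

	printf("euid=%u -> pw_passwd=%s usable=%d\n",
	       (unsigned)geteuid(), pw, passwd_is_usable(pw));
	if (argc > 1) {
		struct passwd *p = getpwnam(argv[1]);	/* whatever nsswitch.conf resolves */
		if (p == NULL)
			printf("%s: user not found\n", argv[1]);
		else
			printf("%s: pw_passwd=%s usable=%d\n", p->pw_name,
			       p->pw_passwd, passwd_is_usable(p->pw_passwd));
	}
	return 0;
}
```

Run it once as an ordinary user and once as root to see the two branches; with a username argument it also prints what the live getpwnam() returns, so a shadowAccount user served by nss_ldap shows "x" and usable=0, which is exactly why the authenticating programs in the report fail.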